> Nice => https://twitter.com/oauth/authenticate?force_login=true?{signed args}
> this stuff is working very well for me ;) Thank you for your
> hint.

While that "works", I think that it shouldn't.

(1) I don't think that it's a legal url because it has two '?'s.
(2) force_login=true isn't part of the signed arguments so it should
be rejected.  (The whole point of signing is to block man-in-the-
middle attacks that alter arguments.)

I haven't tried including force_login=true in the signed arguments.
Are you saying that it doesn't work?  If so, I'd say that that's a
bug, as is the above.

Thanks,
-andy
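
Point (2) above, as an added example that is not part of the original message: a generic OAuth 1.0 HMAC-SHA1 signer and a verifier that recomputes the signature over every query parameter it receives. The secrets, token values and the assumption that the provider verifies this way are constructed for illustration; the thread does not show how Twitter's endpoint checks the request.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

ENDPOINT = "https://twitter.com/oauth/authenticate"   # URL from the thread
CONSUMER_SECRET, TOKEN_SECRET = "cs-constructed", "ts-constructed"  # constructed
PARAMS = [("oauth_consumer_key", "ck-constructed"), ("oauth_nonce", "n0nce"),
          ("oauth_signature_method", "HMAC-SHA1"),
          ("oauth_timestamp", "1262000000"), ("oauth_token", "tok-constructed")]

def pct(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(s, safe="-._~")

def sign(method, base_url, params):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(base_url), pct(normalized)])
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def signed_url(params):
    # Client side: sign the parameters, then append the signature.
    sig = sign("GET", ENDPOINT, params)
    return ENDPOINT + "?" + urlencode(params + [("oauth_signature", sig)], quote_via=quote)

def verify(url):
    # Provider side: recompute the signature over every parameter received.
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    claimed = dict(params).get("oauth_signature", "")
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return hmac.compare_digest(claimed, sign("GET", base_url, params))

good = signed_url(PARAMS)
appended = good + "&force_login=true"                      # added after signing
included = signed_url(PARAMS + [("force_login", "true")])  # covered by signature
double_q = ENDPOINT + "?force_login=true?" + urlsplit(good).query  # thread's form

if __name__ == "__main__":
    for name, url in [("good", good), ("appended", appended),
                      ("included", included), ("double_q", double_q)]:
        print(f"{name:9} verifies={verify(url)}")
    print(parse_qsl(urlsplit(double_q).query)[0])
```

With Python's standard query parser, the two-'?' form folds the first signed argument into the value of force_login, so a verifier written this way rejects it along with the appended form.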



On Dec 28, 9:41 pm, el moro <axel.sachm...@googlemail.com> wrote:
> Nice => https://twitter.com/oauth/authenticate?force_login=true?{signed args}
> this stuff is working very well for me ;) Thank you for your
> hint.
>
> Axel
>
> On 29 Dec., 03:21, Andy Freeman <ana...@earthlink.net> wrote:
>
> > > The difference (to my understanding) is that Authenticate does not
> > > authorize the app.
>
> > Huh?
>
> > Whether I use authorize or authenticate, my app can tweet etc on the
> > user's behalf.
>
> > What, exactly, do you think that authenticate and authorize do?  I
> > think that both can give my application a token that I can use to take
> > actions on the user's behalf.  I think that both do some sort of login
> > or check before doing so.
>
> > The difference that I see is in how twitter presents its questions
> > regarding the account that is allowing my application to do its thing.
>
> > That, and the bit that authenticate leaves folks logged in to twitter.
>
> > On Dec 28, 5:27 pm, Justyn <justyn.how...@gmail.com> wrote:
>
> > > The difference (to my understanding) is that Authenticate does not
> > > authorize the app. We need to have the app authorized but want to give
> > > the user the chance to choose which account to login with (and
> > > Authorize).
>
> > > Ideally, twitter state would not be affected, and user could authorize
> > > an app with desired account (regardless of session) without clicking
> > > "sign out".
>
> > > Justyn
>
> > > On Dec 28, 5:36 pm, Abraham Williams <4bra...@gmail.com> wrote:
>
> > > > That is true. Authenticate currently leaves the user logged in.
>
> > > > I would prefer that get fixed rather than adding force_login to authorize as
> > > > I view leaving users logged in as a security risk. Apparently Twitter does
> > > > not:
>
> > > > http://code.google.com/p/twitter-api/issues/detail?id=1070
>
> > > > On Mon, Dec 28, 2009 at 17:13, Andy Freeman <ana...@earthlink.net> wrote:
> > > > > > Then use authenticate. It accomplishes the same effect of authorize.
>
> > > > > Does it?  My notes say that authenticate leaves the user logged into
> > > > > twitter if they weren't before and that authorize doesn't.
>
> > > > > For my purposes, I'd like to force the user to specify their twitter
> > > > > account and password even if they're already logged in and not change
> > > > > their login state (as far as twitter is concerned) at all.
>
> > > > > I can imagine folks who'd like to allow users to quickly authorize the
> > > > > use of the logged in account (if any)
>
> > > > > I can't imagine anyone who'd want to change the user's logged in
> > > > > state.
>
> > > > > On Dec 27, 6:08 pm, Abraham Williams <4bra...@gmail.com> wrote:
> > > > > > Then use authenticate. It accomplishes the same effect of authorize.
>
> > > > > > > On Sun, Dec 27, 2009 at 17:42, Justyn <justyn.how...@gmail.com> wrote:
> > > > > > > > Thanks Abraham - I understand this is the current limitation, however
> > > > > > > > I think there is a need for the force_login to be available with the
> > > > > > > > authorize function. The authorize landing page is confusing to users
> > > > > > > > who want to sign-in with an account that is different from their
> > > > > > > > latest session. The "sign-out" option is not obvious to users. This is
> > > > > > > > based on user feedback, and I don't think we're the only ones having
> > > > > > > > this issue.
>
> > > > > > > On Dec 27, 3:39 pm, Abraham Williams <4bra...@gmail.com> wrote:
> > > > > > > > > force_login=true only works on https://twitter.com/oauth/authenticate not
> > > > > > > > > on https://twitter.com/oauth/authorize.
>
> > > > > > > > > On Sat, Dec 26, 2009 at 23:23, el moro <axel.sachm...@googlemail.com> wrote:
> > > > > > > > > > Hi, I'd like to use force_login too in my new Rails application. This
> > > > > > > > > > parameter seems to be buggy. For me it's not working too.
>
> > > > > > > > > > On 24 Dec., 05:18, Justyn <justyn.how...@gmail.com> wrote:
> > > > > > > > > > > Hi guys - just wanted to make sure this stayed on the radar. I imagine
> > > > > > > > > > > others would like to use force_login for the Authorize function?
>
> > > > > > > > > > On Dec 22, 4:46 pm, Justyn <justyn.how...@gmail.com> wrote:
>
> > > > > > > > > > > > We've found it necessary to use the force_login method for Authorize
> > > > > > > > > > > > because of the confusion many users have with the splash page shown on
> > > > > > > > > > > > Authorize (many times they want to authorize a different account than
> > > > > > > > > > > > their latest session), however Authorize does not support force_login.
>
> > > > > > > > > > > > Is there a way around this, or can we get a version of authorize that
> > > > > > > > > > > > bypasses the "sign-out" link to get the full credential input for our
> > > > > > > > > > > > users?
>
> > > > > > > > > > > Many users have trouble with this.
>
> > > > > > > > > > > Thanks in advance!
>
> > > > > > > > > > > Justyn
>
> > > > > > > > --
> > > > > > > > Abraham Williams | Awesome Lists |http://awesomeli.st
> > > > > > > > Project | Intersect |http://intersect.labs.poseurtech.com
> > > > > > > > Hacker |http://abrah.am|http://twitter.com/abraham
> > > > > > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > > > > > Sent from Madison, WI, United States
>
> > > > > > --
> > > > > > Abraham Williams | Awesome Lists |http://awesomeli.st
> > > > > > Project | Intersect |http://intersect.labs.poseurtech.com
> > > > > > Hacker |http://abrah.am|http://twitter.com/abraham
> > > > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > > > Sent from Madison, WI, United States- Hide quoted text -
>
> > > > > > - Show quoted text -
>
> > > > --
> > > > Abraham Williams | Awesome Lists |http://awesomeli.st
> > > > Project | Intersect |http://intersect.labs.poseurtech.com
> > > > Hacker |http://abrah.am|http://twitter.com/abraham
> > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > Sent from Madison, WI, United States- Hide quoted text -
>
> > > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -

Reply via email to